21. Java Authentication and Authorization Service (JAAS) Provider

21.1 Overview

Spring Security provides a package able to delegate authentication requests to the Java Authentication and Authorization Service (JAAS). This package is discussed in detail below.

21.2 AbstractJaasAuthenticationProvider

The AbstractJaasAuthenticationProvider is the basis for the provided JAAS AuthenticationProvider implementations. Subclasses must implement a method that creates the LoginContext. The AbstractJaasAuthenticationProvider has a number of dependencies that can be injected into it that are discussed below.

21.2.1 JAAS CallbackHandler

Most JAAS LoginModules require a callback of some sort. These callbacks are usually used to obtain the username and password from the user.

In a Spring Security deployment, Spring Security is responsible for this user interaction (via the authentication mechanism). Thus, by the time the authentication request is delegated through to JAAS, Spring Security's authentication mechanism will already have fully-populated an Authentication object containing all the information required by the JAAS AuthorityGranters given that every JAAS principal has an implementation-specific meaning. However, there is a TestAuthorityGranter in the unit tests that demonstrates a simple AuthorityGranter implementation.

21.3 DefaultJaasAuthenticationProvider

The DefaultJaasAuthenticationProvider allows a JAAS Configuration object to be injected into it as a dependency. It then creates a LoginContext using the injected JAAS Configuration. This means that DefaultJaasAuthenticationProvider is not bound to any particular implementation of Configuration as JaasAuthenticationProvider is.

21.3.1 InMemoryConfiguration

In order to make it easy to inject a Configuration into DefaultJaasAuthenticationProvider, a default in-memory implementation named InMemoryConfiguration is provided. The implementation constructor accepts a Map where each key represents a login configuration name and the value represents an Array of AppConfigurationEntrys. InMemoryConfiguration also supports a default Array of AppConfigurationEntry objects that will be used if no mapping is found within the provided Map. For details, refer to the class level javadoc of InMemoryConfiguration.

21.3.2 DefaultJaasAuthenticationProvider Example Configuration

While the Spring configuration for InMemoryConfiguration can be more verbose than the standard JAAS configuration files, using it in conjunction with DefaultJaasAuthenticationProvider is more flexible than JaasAuthenticationProvider since it is not dependent on the default Configuration implementation.

An example configuration of DefaultJaasAuthenticationProvider using InMemoryConfiguration is provided below. Note that custom implementations of Configuration can easily be injected into DefaultJaasAuthenticationProvider as well.
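An added example, not taken from the Spring Security reference or code base: a Java configuration class that wires DefaultJaasAuthenticationProvider to an InMemoryConfiguration, reusing the JAASTest name and sample.SampleLoginModule that section 21.4 uses. The names JaasInMemoryConfig and TableAuthorityGranter, the principal name alice and the role ROLE_USER are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.jaas.AuthorityGranter;
import org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider;
import org.springframework.security.authentication.jaas.memory.InMemoryConfiguration;

@Configuration
public class JaasInMemoryConfig { // hypothetical class name
    // Hypothetical AuthorityGranter: maps principal names to roles from a fixed
    // table; a principal that is not listed receives no authorities.
    static final class TableAuthorityGranter implements AuthorityGranter {
        private final Map<String, Set<String>> rolesByPrincipal;
        TableAuthorityGranter(Map<String, Set<String>> rolesByPrincipal) {
            this.rolesByPrincipal = rolesByPrincipal;
        }
        @Override
        public Set<String> grant(Principal principal) {
            return rolesByPrincipal.getOrDefault(principal.getName(), Collections.emptySet());
        }
    }

    @Bean
    public DefaultJaasAuthenticationProvider jaasAuthenticationProvider() {
        // One "required" entry for sample.SampleLoginModule, with no module options.
        AppConfigurationEntry[] entries = {
            new AppConfigurationEntry("sample.SampleLoginModule",
                    LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap())
        };
        // Map-only constructor: no default entries are supplied, so a login
        // configuration name that is not a key in this map has nothing to fall back to.
        InMemoryConfiguration configuration =
                new InMemoryConfiguration(Collections.singletonMap("JAASTest", entries));
        DefaultJaasAuthenticationProvider provider = new DefaultJaasAuthenticationProvider();
        provider.setConfiguration(configuration);
        provider.setLoginContextName("JAASTest");
        // Constructed sample mapping: principal "alice" is granted ROLE_USER.
        provider.setAuthorityGranters(new AuthorityGranter[] {
            new TableAuthorityGranter(
                    Collections.singletonMap("alice", Collections.singleton("ROLE_USER")))
        });
        return provider;
    }
}
```

Leaving out the default AppConfigurationEntry array means a mistyped login context name fails the login rather than silently authenticating against a different set of login modules.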

21.4 JaasAuthenticationProvider

The JaasAuthenticationProvider assumes the default Configuration is an instance of ConfigFile. This assumption is made in order to attempt to update the Configuration. The JaasAuthenticationProvider then uses the default Configuration to create the LoginContext.

Let’s assume we have a JAAS login configuration file, /WEB-INF/login.conf, with the following contents:

JAASTest {
    sample.SampleLoginModule required;
};

Like all Spring Security beans, the JaasAuthenticationProvider is configured via the application context. The following definitions would correspond to the above JAAS login configuration file:

21.5 Running as a Subject

If configured, the JaasApiIntegrationFilter will attempt to run as the Subject on the JaasAuthenticationToken. This means that the Subject can be accessed using:

Subject subject = Subject.getSubject(AccessController.getContext());

This integration can easily be configured using the jaas-api-provision attribute. This feature is useful when integrating with legacy or external APIs that rely on the JAAS Subject being populated.